gpg --card-status always create proxy private keys

Alon Bar-Lev alon.barlev at
Mon Feb 13 22:49:54 CET 2017

On 13 February 2017 at 18:15, Peter Lebbing <peter at> wrote:
> I'm not up to speed on all the fine detail. But perhaps there is a
> different alternative that would work for you. GnuPG 2.1 has:
> $ gpg2 --expert --edit-key [KEYID]
> [...]
> > addkey
> Please select what kind of key you want:
>    (3) DSA (sign only)
>    (4) RSA (sign only)
>    (5) Elgamal (encrypt only)
>    (6) RSA (encrypt only)
>    (7) DSA (set your own capabilities)
>    (8) RSA (set your own capabilities)
>   (10) ECC (sign only)
>   (11) ECC (set your own capabilities)
>   (12) ECC (encrypt only)
>   (13) Existing key
> Note option 13. You can use this to add an existing key from an OpenPGP
> smartcard as well. So if you want to add existing keys from a card
> infrastructure emulating an OpenPGP card, I think it could be integrated
> in the same way you can, now with 2.1, add existing keys on real OpenPGP
> cards. This was a workflow that didn't exist in 2.0.

Hi Peter,

Similar option was possible in 2.0 using addcardkey.
I checked this as well, and it actually works nicely.
However, it is insufficient...
I am unsure I like the master key to exist outside of the hardware...
This is egg and chicken as the master key cannot be enrolled per the
issue I am experiencing.
Also unfortunately, rpm does not support signing using subkeys.

Do you know other magics? I searched maybe to take a subkey and
promote it to primary key somehow... did not find sane sequence.

Maybe instead of "card-edit/generate" there should be "card-edit/use
existing" or something?

I still think that the simplest solution is to override whatever in
~/.gnupg/private-keys-v1.d and not fail if same key hash exists, this
requires a small code change of gnupg.


More information about the Gnupg-devel mailing list